Why an identity governance program is important in healthcare

Aug 15, 2018

Controlling and securing access to protected health information (PHI) is one of the most critical issues facing healthcare organizations today. In an age of cybersecurity threats and rapid change (like mergers and acquisitions, employee turnover, and evolving regulatory demands), provisioning solutions offer a robust method for role-based identity management, compliance with organizational policies, and risk management through proactive monitoring of risk areas. Automated provisioning solutions build on existing best practices and the collective experience of clinical, IT, HR and compliance staff. To be completely effective, these solutions should be tailored to each organization’s unique operational and governance structures.

The case for automated provisioning protocols

Larger facilities allocate thousands to tens of thousands of staff hours to manual provisioning and identity management processes. Average-sized healthcare organizations typically allocate four to six employees to manually handle provisioning and identity management tasks. These tasks comprise a large percentage of their work. Moreover, large mergers may involve thousands of IT hours dedicated to employee provisioning. Staffing changes and related access authorizations are frequent over the course of 10-15 years. This can lead to countless orphaned application accounts, subjecting a facility to regulatory compliance audits.

What worked on paper doesn’t typically work when healthcare organizations convert to electronic health records (EHRs) and other digital systems. It’s paramount to establish robust security and permission protocols before converting to an automated solution. Organizations must consider the role-based access privileges needed to achieve streamlined operations, while enforcing solid security protocols required to safeguard patient privacy.

Once protocols have been established, provisioning software helps organizations maintain confidential, HIPAA-compliant access to PHI and other records. It also automates the creation, editing, and deletion of accounts, tasks necessitated by continual employee lifecycle changes (like onboarding, promotions, or termination). At a minimum, automated provisioning solutions must include:

  • Infrastructure to store and access identity information
  • Administrator tools to create access requirements
  • Automated processes related to identity access management (IAM)
  • Security or authentication features to protect sensitive information

Identity and access management reduces risks

A single data breach can cost a healthcare organization nearly $4 million. Data is shared across a wide variety of applications with an increasing number of clinicians who need quick, secure access. Access risk, coupled with multiple layers of privileges, remote access, and multifactor authentication, creates a challenging identity governance environment.

Single sign-on (SSO) and identity management are integral to improving the inefficient processes that burden staff and create risk. Provisioning and identity management solutions help identify who has access to clinical applications and data, for both internal and external users, and prevent users from having too much access. Comprehensive reports allow auditors to gain deeper insights into potential access risks and take action based on this information, including in the following scenarios:

  • Orphaned accounts
  • Abnormal access patterns
  • Inconsistent access rights
  • Inactive, shared, or unknown accounts

Integrated IAM solution for healthcare

Together, Imprivata Identity Governance, Imprivata OneSign®, and Imprivata Confirm ID™ comprise the only integrated identity and access management platform purpose-built for healthcare. The integrated solution enables fast, secure, No Click Access to clinical systems and applications. The robust combination of automated identity management with enterprise single sign-on and authentication management drives lower IT costs, increased data security, and more efficient clinical workflows. An integrated IAM platform reduces the burden on IT and allows clinicians to focus on providing quality patient care, exactly as it should be.